Oh my god what is wrong with this computer



jcap
May 27th, 2009, 12:17 AM
There's one computer in my house which got hit by...something.

It was acting extremely slow, so I ran a virus scan and cleaned it out. I'm 99% sure that, after looking through every corner of the machine, it is clean.

I've been trying everything, and I thought I ran out of options until today...

It turns out that the machine has about 1880 open network connections (my computer right now currently has 6, just for comparison). Typing netstat -a in the command prompt took forever to list them, and they were ALL connecting to the "foreign address" of a random port on localhost. It's like the computer is DDoSing itself, and I don't know why.

I don't know what to do next. How can I find the source of the network problem? I'm pretty sure there's no malicious software left on here because I've gone through every startup entry and every running service in Process Explorer to check for anything irregular. Everything looks normal, though.

Roostervier
May 27th, 2009, 12:21 AM
I've noticed my computer being slow lately too. Just put that command in cmd, and I've got tons of connections as well. Quite a bit to localhost alone, at least 30 or 40. I'm interested in the answer too.

flibitijibibo
May 27th, 2009, 12:25 AM
See what happens when you boot safe mode with networking. If it's fixed, then one of the services/processes has a problem. Otherwise, something in Windows got tinkered with.

jcap
May 27th, 2009, 12:28 AM
The system is so slow right now the only way to actually use it is in safe mode. I do recall it being faster, but I haven't run netstat since I discovered the problem. I'm guessing it's a service, though.

Now how would I pinpoint it? :-/

flibitijibibo
May 27th, 2009, 12:29 AM
Task Manager, Performance tab, Resource Monitor button at the bottom, and the tabs will show the services using the respective parts (CPU, Network, etc).

jcap
May 27th, 2009, 12:36 AM
I should have mentioned it was Windows XP, so it doesn't have that.

But I did use Process Explorer, which is just as useful, if not more useful with its detailed views.

From what I have seen (from memory), I believe the CPU is very low (5-10%), network activity is almost none, and memory is 550 MB (only 256 MB of physical memory in the system; normal idle was around 130 MB). No one process stands out as using any large amount of memory. The total number of processes is 44 (what I have found to be typical on a computer).

Ifafudafi
May 27th, 2009, 01:10 AM
and memory is 550 MB (only 256 MB of physical memory in the system

I'm taking a wild stab that that could be your problem. Unless your computer has so much shit that the massive usage of Virtual Memory is making it run slower than a 300 pound kid having anal sex with a hippo, you've probably got something running in the background that's fucking your shit up bad.

Check the processes list for anything that doesn't seem normal; chances are it's probably a rogue SVCHOST.EXE file and therefore hard to detect, but you never know.

StankBacon
May 27th, 2009, 03:43 AM
why not just reformat?

ExAm
May 27th, 2009, 05:33 AM
why not just reformat?
Because you lose all your installed shit and don't want to spend time reinstalling everything/searching the internets for programs you no longer have the installers/discs for. This is the reason why I've never reformatted since I first installed Windows. I keep it clean, and it works fine.

RecycleBin
May 27th, 2009, 09:29 AM
Post HijackThis. But before you do, rename it to something like "shirts.exe" or something like that. Malware often hides from HijackThis, so a simple name change might help.

You might have a worm though. And if you post your HJT log I might also be able to see what network connections are going through.
Chances are your AV didn't fully remove it.

klange
May 27th, 2009, 11:14 AM
btw: netstat will always take a long time to list things because it's trying to run a reverse-lookup on the IPs, try the -n option, meaning "numeric" for significantly faster output.

Bhamid
May 27th, 2009, 01:10 PM
Have you tried defragging the disk?

RecycleBin
May 27th, 2009, 02:12 PM
Yes, have you tried something like Ccleaner or Defraggler?
http://www.defraggler.com/
http://www.ccleaner.com/

How do I hide the URL so that it says something like "Here" instead of the URL?

ShadowSpartan
May 27th, 2009, 02:20 PM
Yes, have you tried something like Ccleaner or Defraggler?
http://www.defraggler.com/
http://www.ccleaner.com/

How do I hide the URL so that it says something like "Here" instead of the URL?
Do you have to post in response to just about everything? You're just as bad as Robert Graham.

In order to turn text into a hyperlink, you need to highlight the text, click this button: http://www.modacity.net/forums/images/editor/createlink.gif, enter the link and hit ok.

It's actually me attacking your computer Jcap, sorry about that. :p

Cojafoji
May 27th, 2009, 04:27 PM
Did you scan for conficker?

Syuusuke
May 27th, 2009, 05:35 PM
You could try a system restore...but you might not have a point handy...

Limited
May 27th, 2009, 06:52 PM
Wild guess, your pc is part of a botnet? Your pc is the zombie.

Perhaps dust is in the pc, it's a long shot but it can really slow pcs down. Try opening the case and cleaning the dust out.

jcap
May 27th, 2009, 11:21 PM
There's nothing that HijackThis reveals. All normal.

I just don't understand why I'm not even getting a firewall alert for this. If it was part of a botnet, it would be communicating to the network. Also, it would have to be starting up somewhere, but all startup options and services are clean. And I don't think it's hooked into winlogon, or lsass because nothing is exposed under Process Explorer. I just don't understand why it is trying to DDoS itself, either.

RecycleBin
May 28th, 2009, 06:59 AM
Are you 100% sure your log is clean?
What firewall are you using?
There might be a slight chance your winsock is corrupt
http://www.softpedia.com/progDownload/WinSockFix-Download-15337.html
Does the problem go away when you disconnect from the internet?

Jelly
May 28th, 2009, 08:21 AM
Check your Hosts file. Some malware might have redirected Windows Update or a similar process to 127.0.0.1

RecycleBin
May 28th, 2009, 08:32 AM
post HJT log!

jcap
May 28th, 2009, 03:48 PM
hosts is clean. Only thing in there is the entry for localhost.

I think I may have found the problem, though it still seems to be a little slower than it was before. NOD32 seems to have put a gun to its head and pulled the trigger. Although the ports weren't the same as they were the other day, this time when I did netstat I noticed that there were 1500 open connections from sequential ports to 30606. A little search on Google said it was a port NOD32 used. So, I uninstalled it and now it's down to 5.

I think the installation may have been corrupted or something. There was no tray icon at all, but it was still running. Though, the program seemed to run fine.
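
The pattern described in the post above (a large run of sequential local ports all connected to one loopback port) can be pulled out of netstat output mechanically, shown here as an added example that is not part of the original thread. It assumes the output was captured with `netstat -ano` (the thread only mentions `-a` and `-n`; `-o` adds the owning PID column), and the sample text, PIDs and addresses are constructed.

```python
from collections import defaultdict

def build_sample(flood=1500):
    """Constructed text in the layout of Windows `netstat -ano`; PIDs are made up."""
    rows = [
        "Active Connections",
        "",
        "  Proto  Local Address          Foreign Address        State           PID",
        "  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       912",
        "  TCP    127.0.0.1:30606        0.0.0.0:0              LISTENING       1612",
        "  TCP    192.168.1.20:1030      203.0.113.5:80         ESTABLISHED     2040",
        "  UDP    0.0.0.0:445            *:*                                    4",
    ]
    rows += [f"  TCP    127.0.0.1:{p}         127.0.0.1:30606        ESTABLISHED     1612"
             for p in range(2000, 2000 + flood)]
    return "\n".join(rows)

def parse_tcp(text):
    """Yield (local_host, local_port, remote_host, remote_port, state, pid) per TCP row."""
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 5 or fields[0] != "TCP":
            continue  # headers, blank lines, UDP rows (no State column)
        lhost, _, lport = fields[1].rpartition(":")
        rhost, _, rport = fields[2].rpartition(":")
        if lport.isdigit() and rport.isdigit():
            yield lhost, int(lport), rhost, int(rport), fields[3], int(fields[4])

def loopback_hotspots(text, threshold=100):
    """Group connections whose remote end is loopback by (remote port, owning PID)."""
    groups = defaultdict(list)
    for lhost, lport, rhost, rport, state, pid in parse_tcp(text):
        if rhost.startswith("127.") or rhost == "[::1]":
            groups[(rport, pid)].append(lport)
    hot = [{"remote_port": rp, "pid": pid, "count": len(ports),
            "local_ports": (min(ports), max(ports))}
           for (rp, pid), ports in groups.items() if len(ports) >= threshold]
    return sorted(hot, key=lambda h: h["count"], reverse=True)

if __name__ == "__main__":
    for h in loopback_hotspots(build_sample()):
        print(f"{h['count']} connections to 127.0.0.1:{h['remote_port']} "
              f"from local ports {h['local_ports'][0]}-{h['local_ports'][1]}, PID {h['pid']}")
```

The PID reported for a hotspot can then be matched against the PID column in Process Explorer to name the owning process.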

Heathen
May 28th, 2009, 04:05 PM
Are you 100% sure your log is clean?
What firewall are you using?
There might be a slight chance your winsock is corrupt
http://www.softpedia.com/progDownload/WinSockFix-Download-15337.html
Does the problem go away when you disconnect from the internet?
You sir, surprise the shit out of me at the strangest times.

You can be quite random and shit posty, then contribute to the point quite well, then know every fucking thing about a topic.

itscrzy.